In this series of four posts, I'll take you through a feature of Office 365 called Secure Score. In today's post, I will focus on multi-factor authentication (MFA) for administrators.

The aim of Secure Score is to gamify the security controls Microsoft offers and earn points as you turn them on. It also lets you compare your tenant's score to how others are doing.

I suggest you follow along in your own tenant. But if you already have a production tenant with lots of users, please try these steps out in a trial tenant first before you carefully guide your fellow administrators and users down the security path.

Get started with MFA for administrators

Start by logging in to your tenant at You won't find Secure Score in the main admin center nor in the Security and Compliance area. You have to go to instead.

Secure Score main dashboard

Secure Score main dashboard

There are two tabs: one provides your current score, and one tracks the changing score over time. On the first tab is a list of actions you can take to improve your score and secure your tenant. My tenant is starting off at 26 points. Microsoft suggests a target of 297 (with a max of 432). Achieving 297 will take me 26 different actions, so let's get started. Note that the average Office 365 tenant Secure Score sits at 29!

A slider lets you set your target score. If I slide it all the way to the right, the max score goes up to 432, but I will have 52 actions to take. Actions listed as [Not Scored] increase the security of your tenant but do not improve your score because they're not wired up to the Secure Score portal (yet).

Protecting your admin accounts with MFA

The action at the top of the list enables MFA for all global admins in the tenant. This is the only action worth 50 points. This makes sense because if there's a breach to one of your global admins, it's essentially game over. This is similar to a hacker obtaining DA or domain admin credentials in an on-premises breach. It's worthwhile protecting your administrators.

Enable MFA for all global admins

Enable MFA for all global admins

I click Learn more, which opens a blade with more information of the impact of this change, who it is going to affect, and the ability to inform the affected users. Clicking Launch Now takes me to an Azure Active Directory (AAD) page where I can enable MFA for my two global admin users.

Enable MFA for all global admins in AAD

Enable MFA for all global admins in AAD

After doing that, take a look at the Settings tab. You can also elect to have specific trusted devices remember a successful MFA for a number of days; I picked 7. This does introduce a somewhat higher risk for lost or stolen devices, in which case you'll need to restore MFA to all devices quickly.

AAD settings for MFA for Office 365

AAD settings for MFA for Office 365

The main setting to consider is to define IP address ranges of your intranets that don't require MFA. This will vastly reduce your users' irritation factor with MFA because it will only prompt them when out of the office.

You can also turn off specific verification methods out of the four available: call to phone, text message to phone, mobile app notification, or verification code from mobile app. Out of these the second one will be the one your security team may have issues with. The SMS network worldwide is about as full of holes as a Swiss cheese, and many successful attacks have exploited this. But don't let that deter you; having MFA turned on even with SMS messages is much better than not having it enabled at all.

Log out of the Office 365 admin portal and then log back on. It will prompt you to configure MFA for your account. Clicking Set it up now will take you to a screen where you can pick a call or text to your mobile, call to a landline, or use the mobile app.

Protecting an admin account with MFA in Office 365

Protecting an admin account with MFA in Office 365

I told it to Call me on my mobile, clicked Next, received the call, and pressed the pound key to verify. The last screen provides the app password to use for applications that don't support MFA directly.

Final login after MFA enabled

Final login after MFA enabled

Complete your login to the admin portal with another MFA prompt, and you're now ready to administer more securely. If you haven't set up contact details for the account such as a mobile phone and non-Office 365 email address, it will prompt you for these.

Another wrinkle to take into account is PowerShell, if your administrators use this to manage your Office 365 tenant. You can find instructions for Exchange online access with MFA here. Don't expect immediate updates to your score. Secure Score evaluates it once a day at 1:00 a.m. PST, and it can take several days for your score to go up.

The best option for MFA is probably the Authenticator app, available for iOS, Android, and Windows Phone. To enable this as an option for your account, go to, log in, and click your name in the top right-hand corner. Pick Profile and select Additional security verification, and then click Authenticator app and Configure.

A quick response (QR) code will display on the screen of your PC. In the Authenticator app on your phone, pick Add school or work account, and let your phone camera scan the QR code. After doing this, you can use the app to verify an MFA prompt instead of a phone call or texted code. On modern iPhones, you can also use the fingerprint scanner to verify an MFA prompt.

Subscribe to 4sysops newsletter!

Securing your identity with the Microsoft Authenticator app

Securing your identity with the Microsoft Authenticator app

Sander Berkouwer wrote an excellent series on Azure MFA here at 4sysops. In the next post, we'll look at MFA for end users and enabling audit logging for your Office 365 tenant.

  1. Avatar
    Bilal 5 years ago


    I was wondering if you know where to find a complet list of the baseline of microsoft of each secure score point.
    The points you see in the are the scores you need to implement based on your license and your services. But i was wondering if I could find a complete list of all the points. And which license I need for each one of them.

    Tried to find this in the following  Microsoft documentations :



    neither of the above gives me a complete list of all the score points available

    The following blog does and even with what license and add ons i need for certail secure points.
    Not for all of them unfortunately , that’s why i tried to ask it here



  2. Avatar Author

    Hi Bilal,

    Unfortunately I don’t know where to find a list like that, although the link to the blog post you gave certainly is comprehensive. Since I wrote this article series Office Secure Score has turned into Microsoft Secure Score and it’s showing up in more places. It’ll be interesting to see how it evolves over the next couple of years.

    If you find a good list please post it here 🙂

    /Paul Schnackenburg

  3. Avatar
    Jeffery Birks 4 years ago

    Hi Bilal,

    I recently heard that Microsoft was simplifying presentation of the security requirements by using a banded solution similar to NORADS DefCon rating (1 to 5 value as seen in the film Wargames).

    Is the secure score solution connected with this ?

  4. Avatar Author

    Hi Jeffery,

    I haven't heard about the 1-5 rating from Microsoft – where did you hear that? Got a link?

    Paul Schnackenburg

Leave a reply

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account